Yesterday, the U.S. Department of Health and Human Services (“HHS”) announced a new record settlement for a data breach involving electronic protected health information (“ePHI”). With regulators becoming more aggressive, fines ramping up, and a changing regulatory regime in both the U.S. and the E.U., it is becoming very expensive not to take data security and data incident response seriously.
Anthem, Inc., one of America’s largest health insurance companies, agreed to pay $16 million to HHS to settle potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) for a 2015 data breach that exposed the ePHI records of 79 million individuals. According to HHS, the allegations underlying the record settlement were Anthem’s alleged failure “to identify and respond to suspected or known security incidents,” insufficient procedures to regularly review information system activity, failure to conduct an enterprise-wide risk analysis, and failure to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI.
The allegations make it clear that when bringing an action and assessing a fine, HHS will consider both a company’s failure to take adequate preventive measures related to information security and the lack of a prompt and proper response and remediation effort once a breach occurs.
The settlement is yet another in a series of data breach-related enforcement actions around the world. Less than a month ago, Uber agreed to a $148 million settlement, the largest data breach settlement in U.S. history. Meanwhile, just a week before, Equifax was fined a whopping £500,000 by the Information Commissioner’s Office for its own 2017 data breach. The Equifax fine was the maximum possible penalty for a pre-General Data Protection Regulation (“GDPR”) incident, which may have both British Airways and Facebook sweating: both companies suffered their own massive data breaches in the last month, and the larger penalties that GDPR allows are now available to regulators.
The recent enforcement actions illustrate that following best practices regarding information security as well as adequate response and remediation will go a long way in decreasing or even avoiding fines.
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.” – OCR Director Roger Severino